- Victim loses over $ 1 million worth of BAYC NFTs
- The heist was perpetrated via social engineering
Bored Ape Yacht Club (BAYC) NFTs are among the most prominent products of crypto culture. Unfortunately, as one of the best-known collections in the NFT space, it has become a significant target for hackers, scammers, and other unsavory players.
As the NFT space continues to grow, so does the complexity of exploits and hacks perpetrated against it. This was evident over the weekend as a sophisticated scheme was used to steal many Bored Ape NFTs.
BAYCs Have Been Hacked Before
The practice of hacking and exploiting owners of Bored Apes is nothing new. Over the past year, we have witnessed various successful BAYC exploits, ranging from the theft of Hollywood actor Seth Green’s Bored Ape to full Discord compromises.
Although these exploits are not the fault of Yuga Labs, they continue to illustrate how vital wallet security is for owners of the popular NFT collection. Furthermore, the presence of these exploits is far from exclusive to the Bored Ape Yacht Club and can be found in all of the significant ‘blue chip’ NFT collections.
Over the weekend, another example of social engineering, this time on an unprecedented scale, reminded the community that being meticulous and detail-oriented is not always enough to protect your assets.
A Closer Look at The Heist
During the recent breach, 14 Bored Ape Yacht Club NFTs were stolen through a sophisticated social engineering scheme involving a single owner.
There is no doubt that this is the next level of hacking, illustrating the extent of detail and work these exploiters are willing to put in. The hacker was able to liquidate the NFTs for approximately 850 ETH, or just over $1 million.
Popular Web3 Security Analyst @Serpent breaks down the story in a Twitter thread concisely and with great detail.
The scammer contacted the victim, asking for permission to license intellectual property rights for BAYC#2060. The scammer portrayed themselves as a casting director at a Los Angeles-based studio seeking to license the NFT for a substantial fee.
The studio the scammer used to front exists, but the alias the scammer used does not. The perpetrator went to great lengths to make the scam look real, including props like fake email domains, fake partnership pitches, and long hours of phone calls to the victim.
After going through the contracts and discussing terms, the scammer sent the victim an email stating they “sent a bid” through Unemployd.
The victim proceeded to “sign the contract on” Unemployd, where the wallet drain took place.
The scam website displayed a gas-less Seaport signature request, which the scammer claimed the victim needed to sign for the license. In reality, the signature created a private bundle listing that offered all of the victim’s BAYCs to the scammer for 0.00000001 ETH.
The scammer’s wallet, funded by Secret Network, then ran a smart contract function to complete the private sale. The scammer accepted the highest WETH offers on all the NFTs and then converted the 852.86 WETH to 1.07m DAI. Finally, the hacker transferred the funds to a new wallet, where the funds are currently dormant.
The heist was long in the making, with the scammer spending months preparing for its execution.
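The mechanism described above (a gas-less EIP-712 signature that turns out to be a Seaport order listing every NFT for a near-zero price to one specific taker) is visible in the typed-data payload before it is signed. The following is an added example, not code from the article, @Serpent, or Seaport/OpenSea: a small audit function that inspects a Seaport `OrderComponents` payload and flags the three traits of the order in this story. The addresses, token IDs, and the `MIN_SANE_WEI_PER_NFT` threshold are constructed placeholders; the `ItemType` values match the public Seaport enum, and the private-listing check relies on Seaport's documented pattern of placing the offered NFT in the consideration with the intended buyer as recipient.

```javascript
// Added example: pre-signature audit of a Seaport EIP-712 order.
// Seaport ItemType enum values (public Seaport contract).
const ItemType = { NATIVE: 0, ERC20: 1, ERC721: 2, ERC1155: 3 };
// Assumed threshold for illustration only: 0.01 ETH per NFT in wei.
const MIN_SANE_WEI_PER_NFT = 10n ** 16n;

function isNft(item) {
  const t = Number(item.itemType);
  return t === ItemType.ERC721 || t === ItemType.ERC1155;
}
function isFungible(item) {
  const t = Number(item.itemType);
  return t === ItemType.NATIVE || t === ItemType.ERC20;
}

// Returns a list of human-readable findings; an empty list means nothing flagged.
function auditSeaportOrder(typedData) {
  const findings = [];
  const { domain = {}, primaryType, message = {} } = typedData;
  if (domain.name !== "Seaport" || primaryType !== "OrderComponents") {
    findings.push("not a Seaport OrderComponents payload; do not treat as a listing");
    return findings;
  }
  const offerer = String(message.offerer).toLowerCase();
  const offer = message.offer || [];
  const consideration = message.consideration || [];

  // 1. Bundle: how many NFTs leave the signer's wallet with this one signature?
  const nftsOut = offer.filter(isNft);
  if (nftsOut.length > 1) {
    findings.push(`bundle: ${nftsOut.length} NFTs leave the signer's wallet in one signature`);
  }

  // 2. Price: sum the ETH/ERC20 consideration that actually flows back to the signer.
  let weiIn = 0n;
  for (const c of consideration) {
    if (isFungible(c) && String(c.recipient).toLowerCase() === offerer) {
      weiIn += BigInt(c.startAmount);
    }
  }
  if (nftsOut.length > 0 && weiIn < MIN_SANE_WEI_PER_NFT * BigInt(nftsOut.length)) {
    findings.push(`price: signer receives only ${weiIn} wei for ${nftsOut.length} NFT(s)`);
  }

  // 3. Private listing: offered NFTs appearing in consideration with another recipient
  //    restrict who can fill the order to that recipient.
  const takers = new Set(
    consideration
      .filter((c) => isNft(c) && String(c.recipient).toLowerCase() !== offerer)
      .map((c) => String(c.recipient).toLowerCase())
  );
  if (takers.size > 0) {
    findings.push(`private listing: only ${[...takers].join(", ")} can fill this order`);
  }
  return findings;
}

// Constructed placeholder addresses (not real accounts or the real BAYC contract).
const VICTIM = "0x1111111111111111111111111111111111111111";
const TAKER = "0x2222222222222222222222222222222222222222";
const NFT_CONTRACT = "0x3333333333333333333333333333333333333333";
const SEAPORT = "0x4444444444444444444444444444444444444444";
const ZERO = "0x0000000000000000000000000000000000000000";

function nftItem(id, recipient) {
  const item = { itemType: ItemType.ERC721, token: NFT_CONTRACT, identifierOrCriteria: id, startAmount: "1", endAmount: "1" };
  if (recipient) item.recipient = recipient;
  return item;
}
function order(offer, consideration) {
  return {
    domain: { name: "Seaport", version: "1.1", chainId: 1, verifyingContract: SEAPORT },
    primaryType: "OrderComponents",
    message: { offerer: VICTIM, zone: ZERO, offer, consideration, orderType: 0, startTime: "0",
               endTime: "9999999999", zoneHash: "0x" + "00".repeat(32), salt: "1",
               conduitKey: "0x" + "00".repeat(32), counter: "0" },
  };
}

// Constructed order mirroring the story: 14 NFTs, 0.00000001 ETH (1e10 wei), one taker.
function constructedScamOrder() {
  const ids = Array.from({ length: 14 }, (_, i) => String(1000 + i));
  return order(
    ids.map((id) => nftItem(id)),
    [{ itemType: ItemType.NATIVE, token: ZERO, identifierOrCriteria: "0", startAmount: "10000000000",
       endAmount: "10000000000", recipient: VICTIM }, ...ids.map((id) => nftItem(id, TAKER))]
  );
}
// Constructed ordinary listing: one NFT for 50 ETH, open to any buyer.
function constructedBenignOrder() {
  return order([nftItem("1000")], [{ itemType: ItemType.NATIVE, token: ZERO, identifierOrCriteria: "0",
    startAmount: (50n * 10n ** 18n).toString(), endAmount: (50n * 10n ** 18n).toString(), recipient: VICTIM }]);
}

module.exports = { auditSeaportOrder, constructedScamOrder, constructedBenignOrder };
```

Run with `node` and call `auditSeaportOrder(constructedScamOrder())`: the scam-shaped order produces three findings (bundle, price, private listing), while the benign listing produces none. The point for holders is that a wallet prompt labelled "signature request" with no gas fee is not harmless; the order body it carries is the actual transfer authorisation and is worth reading, or running through a check like this, before approving.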
Preventing Future Theft & Scams
The scam illustrates the importance of keeping high-value NFTs and other crypto assets in cold storage; it is the safest option, because a wallet that signs messages and interacts with smart contracts is exposed to exactly this kind of risk.
In his thread, Serpent concluded that using multiple wallets, verifying identities, and not signing random signatures or transactions are essential for NFT holders.